I am trying to exploit a C program with a Buffer Overflow. The buffer's size is 44 bytes (char buffer[44];). I want to overwrite the $eip register with another address, but it seems that neither the $ebp register nor the $eip is being overwritten. The program just bypasses them and starts to fill in the addresses after the two registers, and it doesn't even give a Segmentation Fault. What might be the problem? I post a photo with an input of 71 "A".
#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>
#include "bufsize.h"

char grade = '3';
char Name[44];

void readString(char *s) {
    char buf[44];
    int i = 0;
    int c;

    /* No bound on i: every byte of an over-long line is written past buf */
    while (1) {
        c = fgetc(stdin);
        if ((c == EOF) || (c == '\n'))
            break;
        buf[i++] = c;
    }
    buf[i] = 0;                 /* for a 44-byte line this writes buf[44], one past the end */

    /* Copies exactly 44 bytes; Name gets no terminator if the line was 44+ bytes */
    for (i = 0; i < 44; i++)
        s[i] = buf[i];
    return;
}

int main(void) {
    /* Makes the page holding Name readable, writable and executable
       (the cast assumes a 32-bit build, matching the $eip/$ebp registers above) */
    mprotect((void*)((unsigned int)Name & 0xfffff000), 1,
             PROT_READ | PROT_WRITE | PROT_EXEC);
    printf("What is your name?\n");
    readString(Name);
    if (strcmp(Name, "Alex") == 0)
        grade = '6';
    printf("Thank you, %s.\n", Name);
    printf("I recommend that you get a grade of %c on this assignment.\n",
           grade);
    exit(0);
}
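For contrast, here is a bounded version of the input routine. It is added code, not part of the question's program or assignment: readString above has no bound on i, its trailing buf[i] = 0 lands one past the array for a 44-byte line, and the copy into Name never guarantees a terminator. The replacement takes the destination capacity explicitly, stores at most cap-1 bytes, always terminates inside the buffer, and drains the rest of an over-long line. The names read_line_bounded, next_byte_fn and read_line_from_string are my own; the byte-source callback exists only so the same routine can read stdin in the program and a constructed string in the self-check.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Byte source abstraction (added here, not part of the question's program):
 * returns the next byte as 0..255, or EOF. The program reads stdin through it;
 * the self-check reads a constructed string instead. */
typedef int (*next_byte_fn)(void *ctx);

static int stdin_next(void *ctx)
{
    (void)ctx;
    return fgetc(stdin);
}

struct str_src { const char *p; };

static int str_next(void *ctx)
{
    struct str_src *s = ctx;
    if (*s->p == '\0')
        return EOF;
    return (unsigned char)*s->p++;
}

/* Bounded replacement for readString's loop. Stores at most cap-1 bytes in dst,
 * always writes the terminating NUL inside dst, and consumes the rest of an
 * over-long line so it cannot spill into the next read. Returns the number of
 * bytes stored; *truncated is set to 1 when input bytes were dropped. */
size_t read_line_bounded(next_byte_fn next, void *ctx,
                         char *dst, size_t cap, int *truncated)
{
    size_t n = 0;
    int c;

    if (truncated)
        *truncated = 0;
    if (cap == 0)
        return 0;

    while ((c = next(ctx)) != EOF && c != '\n') {
        if (n + 1 < cap)
            dst[n++] = (char)c;
        else if (truncated)
            *truncated = 1;     /* keep consuming, stop writing */
    }
    dst[n] = '\0';              /* n <= cap-1, so this stays in bounds */
    return n;
}

/* Same routine run over a constructed input string instead of stdin. */
size_t read_line_from_string(const char *input, char *dst, size_t cap,
                             int *truncated)
{
    struct str_src src = { input };
    return read_line_bounded(str_next, &src, dst, cap, truncated);
}

#define NAME_CAP 44
char Name[NAME_CAP];

int main(void)
{
    int truncated;

    printf("What is your name?\n");
    read_line_bounded(stdin_next, NULL, Name, sizeof Name, &truncated);
    if (truncated)
        printf("(name longer than %d bytes was cut)\n", NAME_CAP - 1);
    printf("Thank you, %s.\n", Name);   /* Name is always NUL-terminated here */
    return 0;
}
```

With 71 "A" on stdin the routine stores 43 bytes, terminates at Name[43], reports truncation, and nothing beyond the array is touched; "Alex" is stored unchanged. The capacity is passed in rather than hard-coded to 44 so that the size of the destination and the limit enforced by the copy can never drift apart.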
I want to edit the eip register so that it throws segmentation fault and later edit the eip to make the program print 6 without entering the string "Alex" as input. I put a breakpoint after the while(1) loop and with x/50x $esp I examine the memory addresses to see when the ebp and eip will be overwritten but the program bypasses them and continues to write to memory addresses further.
OK, I just found a solution where I needed to put 44 * "A" and 8 * "5" and then the return address I wanted, and it successfully changed, although the memory is like this:

    -----[buffer][int c][int i][ebp][eip]-------
           44b     4b     4b    4b   4b

So, I insert at the 52-byte position (44 * "A" + 8 * "5"), but it must be at position 56 normally. It works with 52, but I don't know why.